Where is your organization’s data? From global data centers to PCs to mobile apps, data is strewn all over the place. So how do you protect it all?

You can’t encrypt everything, right? It’s too expensive and time-consuming. Even the most stringent regulations don’t demand that level of data protection. For example, GDPR focuses primarily on personally identifiable information (PII). Still, you also want to protect your intellectual property from a data breach.

How can businesses determine which data needs to be protected? What is a data security strategy built upon? And what are some best practices to help avoid a company data breach? Let’s find out.

Data Protection Begins with Data Discovery

You can’t protect something if you don’t know where it lives. Data can be found stored in data centers, file shares, laptops, desktops, mobile devices, cloud storage and edge computing infrastructure. But you have to locate the data to protect it.

IT, security, legal and privacy teams can all participate in data discovery. As users create and add data throughout your enterprise, the data should not remain hidden in silos. The objective is to locate and index existing data and develop a system that continuously surfaces the data.

Before we look at data discovery solutions, let’s examine the next step in the process.

Data Classification

When you properly classify, tag or label your data, it’s easier to decide about data protection priorities. Classification helps put everyone on the same page about database security and data governance.

In the context of information security, data classification should be based on the level of value and risk the data represents. Ask yourself: what would be the impact on your organization if the data was disclosed, altered or destroyed?

Some organizations use these categories to classify data:

  • Restricted: Breach of restricted data would lead to significant organizational/affiliate risk or damage. This could be protected by privacy regulations and/or confidentiality agreements. Restricted data deserves the highest level of security.

  • Private: Exposure of private data represents a moderate level of risk to your organization. By default, all data not classified as restricted or public should be classified as private data. A reasonable level of security should be applied to private data.

  • Public: Breach of public data exposes you to little or no risk. Examples include press releases, blog articles, marketing videos and other widely available content. For public data, some level of control may be required to prevent unauthorized modification or destruction of the data.

The classification of data can also include data types, such as individual files, emails and database fields. Accurate classification (what the data is and the level of sensitivity) evolves over time. That’s why a systematic data lifecycle approach works best to keep security up to date.

If it seems like data discovery and classification are mountain-sized tasks, it’s because they are. For this reason, network analytics, AI and machine learning-based tools exist to streamline the process. These tools provide visibility, context and insight to continuously find and catalog sensitive and protected data. Proper data classification can also help form your data breach response plan.

Learn about IBM Security Guardium Insights

Determine Data Contextual Insight

Once your data has been classified, factors such as data flow and data use further determine specific protection methods. For example, you may have identified the location of restricted data, but how do you know who has access to it? Also, how do you manage the access? At this level, data visibilities, policies and monitoring are critical to helping discover vulnerabilities and risks.

The location of the data, such as on-premise or cloud, will influence your choice of security measures as well. Finally, your approach to compliance with privacy mandates will vary depending on the type of data and its use case.

So no, you don’t have to encrypt everything. But you want to identify the context when encryption is necessary, such as for sensitive data that transverses internal or external networks.

Apply Intelligent Security Measures

While we can’t address the full spectrum of data security in this article, we can highlight some of the most effective methods. While the above processes remain critical, the following tactics help achieve robust security for any organization. They can even fill gaps until data discovery and classification reach maturity.

Identity Access Management (IAM)

IAM establishes a detailed, nuanced evaluation of anyone that attempts to access your networks. It doesn’t matter if they are employees, partners, customers or threat actors.

With AI assistance, IAM follows pre-established access rules while also providing real-time insight into access trends. IAM enables accurate, contextual authentication that can account for user, device, location and behavior patterns. For example, instead of employees accumulating access privileges, they can be identified and granted only the access they currently need. With IAM in place, even non-humans (IoT) are required to pass authentication by API and application security.

Zero Trust

The goal of zero trust security is to create a secure layer around every user, device and connection at all times. This consists of the unification and integration of security tools to protect your most valuable assets and proactively manage threats.

Zero trust works from the premise that every user is considered a threat and requires ongoing validation. One key aspect of zero trust is the principle of least privilege. This means users get access to the smallest amount of IT resources they need to complete their tasks.

Data Disposal

Obsolete data sitting around on your servers isn’t just a storage problem. Old data retention represents an ongoing security risk. Therefore, it’s wise to develop a defensive data disposal plan.

If sensitive data is no longer required by real business interests, compliance mandates or data preservation obligations (investigations, litigation, etc.), then it should be disposed of. This can follow a process of data storage offline with eventual full decommissioning of hardware and disposal.

Obfuscate Data

Data obfuscation involves using data abstraction and obfuscation techniques like encryption, tokenization and masking. Data masking enables you to transform complex data elements such as credit card numbers, email addresses and other identifiers while retaining their contextual meaning. Obfuscated data is difficult to decrypt or recover, and therefore it has no value on Dark Web marketplaces.

Big Data Security

Even big data can be secured with automated data discovery and classification. Also, data activity monitoring and machine learning can uncover unusual activity to prevent the cost of a data breach. Advanced big data security tools enable administrators to block suspicious user IDs and meet compliance based on pre-built regulation templates.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today